AMENDMENTS TO THE CLAIMS:

This listing of claims will replace all prior versions, and listings, of claims in the application:
Listing of Claims : 

1-35. (Canceled) 

36-37. (Withdrawn) 

38-39. (Canceled) 

40. (Currently Amended) A method for constraining delegation of service requests made by a
first server on behalf of a client, [[by a client to a server]], the method comprising:

receiving, at the first server, an authentication mechanism for the client, wherein the
authentication mechanism is generated using a first authentication method;

[[a server]] identifying, by the first server, a target service to which access is sought on
behalf of [[a]] the client, wherein the target service is resident on a target server; [[that has been
authenticated using a first authentication method;]]

sending a request to a trusted third-party to issue a first service ticket to the first server
for the client, wherein the first service ticket is adapted to be used with a second authentication 
method, and wherein the second authentication method is different from the first authentication 
method; 

receiving, at the first server, the first service ticket to the first server, wherein the first
service ticket to the first server specifies that the first service ticket is delegable through the
presence of a forwardable flag in the first service ticket;

requesting, by the first server, a target service ticket from the trusted third-party
configured for use by the first server to access the target service on behalf of the client, wherein
the first server provides the trusted third-party with the first service ticket when requesting the
target service ticket, and wherein the target service ticket is adapted to be used with the second 
authentication method; and 

sending the target service ticket to the target server. 

U.S. Patent Application Serial No. 09/886,146
Office Action Dated: October 16, 2008

[[causing the server that is operatively coupled to the target service and the client to use a
credential authenticating the server to request a service credential to itself from a second
authentication method trusted third party by identifying the client and the first authentication
protocol method; and

without participation of the client, causing the server to request from the second
authentication method trusted third party a new service credential for use by the server and the
target service, from the second authentication method trusted third party, wherein the server
provides the trusted third party with the credential authenticating the server, information about
the target service, and the service credential to itself.]]

41-42. (Canceled) 

43. (Currently Amended) The method as recited in Claim 40, wherein the target
service ticket [[service credential]] is configured for use by the server and the target service to which
access is sought.

44-45. (Canceled) 

46. (Currently Amended) The method as recited in Claim 40, wherein the first server
is a front-end server, and wherein the target server is a back-end server that is coupled to the first
server[[, with respect to a back end server that is coupled to the front end server, and wherein the
back end server is configured to provide the target service]].

47. (Original) The method as recited in Claim 40, wherein the first authentication 
method is selected from a group of authentication methods comprising Passport, SSL, NTLM, 
and Digest. 

48. (Original) The method as recited in Claim 40, wherein the second 
authentication method includes a Kerberos authentication protocol. 

49. (Currently Amended) A computer-readable storage medium on a first
server storing computer-executable instructions for performing tasks for a method of
constraining delegation [[by a client to a server]] of service requests made by the first server on
behalf of a client, the method comprising:

receiving, at the first server, an authentication mechanism for the client, wherein the
authentication mechanism is generated using a first authentication method;

[[a server]] identifying, by the first server, a target service to which access is sought on
behalf of [[a by]] the client, wherein the target service is resident on a target server; [[that has been
authenticated using a first authentication method;]]

[[causing the server that is operatively coupled to the target service and the client to use a
credential authenticating the server to request a service ticket to itself from a second
authentication method trusted third party by identifying the client and the first authentication
method protocol;]]

sending a request to a trusted third-party to issue a first service ticket to the first server
for the client, wherein the first service ticket is adapted to be used with a second authentication
method, and wherein the second authentication method is different from the first authentication
method;

receiving, at the first server, the first service ticket to the first server, wherein the first 
service ticket to the first server specifies that the first service ticket is delegable through the 
presence of a forwardable flag in the first service ticket; 

[[causing the server to]] requesting, by the first server, a [[new]] target service ticket from
the trusted third-party configured for use by the first server to access the target service on behalf
of the client, [[configured for use by the server to access the new service without participation of
the client the identified service, from the second authentication method trusted third party,]]
wherein the first server provides the trusted third-party with the first service ticket when
requesting the target service ticket, and wherein the target service ticket is adapted to be used
with the second authentication method; and [[credential authenticating the server to the client,
information about the target service, and the service ticket to itself; and]]

sending the target service ticket to the target server. [[causing the second authentication
method trusted third party to issue the new service ticket allowing the server to directly access the
new service when one of:

the service ticket specifies the service ticket is delegable; and
the second authentication method trusted third party maintains an indication that the
service ticket is delegable.]]
50. (Currently Amended) The computer-readable medium as recited in Claim 49,
wherein the [[second authentication method]] trusted third-party includes a key distribution center
(KDC).

51. (Canceled). 

52. (Currently Amended) The computer-readable medium as recited in Claim 49, 
wherein the [[new]] target service ticket is configured for use by the server and the target service. 

53. (Currently Amended) The computer-readable medium as recited in Claim 49,
further comprising authenticating the server to the trusted third-party, wherein [[the]] a credential 
authenticating the server to the trusted third-party includes a ticket granting ticket associated 
with the server. 

54. (Canceled). 

55. (Currently Amended) The computer-readable medium as recited in Claim 49,
wherein the first server is a front-end server [[with respect to a back end server that is coupled to
the front end server]], and wherein the target server is a [[the]] back-end server that is coupled to
the front-end server[[, is configured to provide the target service]].

56. (Original) The computer-readable medium as recited in Claim 49, wherein 
the first authentication method is selected from a group of authentication methods comprising 
Passport, SSL, NTLM, and Digest. 

57. (Original) The computer-readable medium as recited in Claim 49, wherein 
the second authentication method includes a Kerberos authentication protocol. 

58-61. (Canceled) 
62. (New) A method, performed by a trusted third-party, of constraining delegation
of service requests made by a first server on behalf of a client, the method comprising:

receiving, at the trusted third-party, a first request from the first server for a first service
ticket, wherein the first server provides evidence that the client has been authenticated to the first 
server using a first authentication method, and wherein the first service ticket is a service ticket 
granting the client access to services on the first server; 

sending the first service ticket to the first server, wherein the first service ticket is adapted 
to be used with a second authentication method, and wherein the second authentication method is 
different from the first authentication method; 

receiving a second request from the first server to access a target server, wherein the first 
server is requesting to access the target server on behalf of the client, and wherein the second 
request comprises the first service ticket; 

determining if the client has authorized delegation to the first server to request the access 
to the target service on the behalf of the client by checking the first service ticket for the presence 
of a forwardable flag; and 

if the forwardable flag is present in the first service ticket, generating a target service 
ticket and sending the target service ticket to the first server; 

if the forwardable flag is not present, denying the second request. 
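
The trusted third-party logic of Claim 62, as an added example that is not part of the patent filing: a toy Python KDC that issues the first service ticket for a client the first server has authenticated with a first authentication method, sets the forwardable flag from a constructed per-client delegation policy, and issues a target service ticket only when a genuine, unmodified first ticket carries that flag. The HMAC seal, the KDC and Ticket names and the policy table are assumptions; they show that the flag check is only meaningful if the first server cannot alter the ticket it presents.

```python
import hashlib, hmac, json
from dataclasses import dataclass
from typing import Optional

FIRST_AUTH_METHODS = {"Passport", "SSL", "NTLM", "Digest"}   # Claims 47 and 63


@dataclass(frozen=True)
class Ticket:
    client: str        # principal the ticket was issued for
    service: str       # server the ticket grants access to
    forwardable: bool  # the "delegable" flag the KDC checks in Claim 62
    seal: str          # HMAC over the fields above, keyed by the KDC (assumption)


class KDC:
    """Trusted third-party of the second (Kerberos-style) authentication method."""

    def __init__(self, key: bytes, delegation_policy: dict):
        self._key = key                    # known only to the KDC
        self._policy = delegation_policy   # constructed: client -> may be delegated?

    def _seal(self, client: str, service: str, forwardable: bool) -> str:
        body = json.dumps([client, service, forwardable]).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def _valid(self, t: Ticket) -> bool:
        return hmac.compare_digest(t.seal, self._seal(t.client, t.service, t.forwardable))

    def issue_first_ticket(self, first_server: str, client: str, auth_method: str) -> Optional[Ticket]:
        """First request: the first server vouches that it authenticated the client with a
        first authentication method; the ticket is for the first server itself."""
        if auth_method not in FIRST_AUTH_METHODS:
            return None
        fwd = self._policy.get(client, False)   # has the client authorised delegation?
        return Ticket(client, first_server, fwd, self._seal(client, first_server, fwd))

    def issue_target_ticket(self, first_server: str, first_ticket: Ticket, target: str) -> Optional[Ticket]:
        """Second request: issue a ticket to the target only if the presented first ticket
        is genuine, was issued to this first server, and carries the forwardable flag."""
        if not self._valid(first_ticket) or first_ticket.service != first_server:
            return None                      # forged, altered, or issued to another server
        if not first_ticket.forwardable:
            return None                      # Claim 62: deny the second request
        c = first_ticket.client
        return Ticket(c, target, False, self._seal(c, target, False))  # no onward delegation
```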

63. (New) The method of Claim 62, wherein the first authentication method is
selected from a group of authentication methods comprising Passport, SSL, NTLM, and Digest. 

64. (New) The method of Claim 62, wherein the second authentication method
includes a Kerberos authentication protocol. 